Regarding the Report of the Presidential Commission on Enhancing National Cybersecurity
Herb Lin, one of the authors of the recent US report on cybersecurity, summarizes what is in the report:
- cybersecurity is lacking because of a market failure.
- IoT will settle the question of software liability (e.g. the IoT toaster that burns down the house)
- regulation is needed, especially if the guidelines are not followed.
It seems to me an interesting point of view, and a useful one in the EU as well.
<https://www.lawfareblog.com/regarding-report-presidential-commission-enhanci...>
From my own perspective, it’s worth calling attention to a number of salient points that are implied but not explicitly stated in the report.
* The market has failed to provide the United States with the cybersecurity posture that it needs. Indeed, if this were not true, the commission would not have been necessary in the first place. In my view, market failure is reflected in two ways—one easier to fix, the other harder.
* The first aspect of market failure is that individual entities do not do all that they should be doing to provide for their own cybersecurity needs—they don’t realize the scope and nature of the threats they face, they don’t know how to respond to those threats, they have higher and more immediate priorities for action, and so on. The report thus emphasizes ways for citizens and private sector entities to increase awareness and to plan for their cybersecurity needs using the NIST cybersecurity framework <https://www.nist.gov/cyberframework>.
* The second aspect of market failure is that if these individual entities did do all that they needed to do to provide for their own cybersecurity needs (or more precisely, all that they could reasonably be expected to do), the resulting cybersecurity posture of the nation would be better than it is today. However, that posture would still be inadequate from a national perspective because of the interdependencies between these entities—the very concept of critical infrastructure rests on this premise. The report thus points out that the U.S. government has ultimate responsibility for defending the nation’s critical infrastructure, acknowledging that there are some cyber threats to the nation that the private sector working alone cannot be expected to handle. This second aspect of market failure is much harder to address than the first, because it is not in any entity’s self-interest to do for the nation more than it needs to do for itself.
participants (1)
-
Alberto Cammozzo